Jaguar Land Rover says hackers may have taken data after cyber-attack halts UK production

Jaguar Land Rover said Wednesday that some data may have been taken by hackers in a cyber-attack that has halted car production and forced workers to be sent home.

The vehicle maker, owned by India's Tata Motors, initially told regulators it did not believe customer information had been stolen. Now, 11 days after the incident, JLR said its ongoing forensic investigation had led it to conclude "some data has been affected" and that it was informing the relevant regulators. The company declined to say publicly whether the affected information belonged to customers, suppliers or JLR itself.

Production lines at the company's plants in Solihull, Halewood and Wolverhampton in the U.K. have been stopped since the beginning of last week, and worldwide output of around 1,000 vehicles a day has been halted. JLR said the affected plants in the U.K. are not expected to restart until Thursday at the earliest.

A group calling itself Scattered Lapsus$ Hunters, which claimed responsibility for cyber-attacks on British retailers earlier this year, has said it was behind the JLR intrusion. Last week the Information Commissioner's Office confirmed that JLR had reported an incident to the U.K.'s data protection regulator.

"As a result of our ongoing investigation, we now believe that some data has been affected and we are informing the relevant regulators," JLR said in a statement on Wednesday. "Our forensic investigation continues at pace and we will contact anyone as appropriate if we find that their data has been impacted."

JLR shut down its IT networks in response to the attack and said it is working around the clock to restore systems. Company officials and outside security teams have described the restart of complex manufacturing IT as time-consuming and intricate, requiring careful forensic work to avoid further disruption.

The National Cyber Security Centre, part of the Government Communications Headquarters, is assisting the investigation. Chris Bryant, the newly appointed business minister, told members of Parliament on Tuesday that the government was "engaging with JLR on a daily basis to understand the challenges that the company and its suppliers are facing." Local members of Parliament have been invited to a half-hour question-and-answer session with the company on Friday.

Ciaran Martin, professor of practice in the management of public organisations at the University of Oxford and former head of the NCSC, said the immediate operational impact of such attacks can be as harmful as data loss. Speaking on BBC Radio 4's Today programme, he said the law currently prioritises protecting customer data, but securing a firm's ability to operate is equally important. "There's a real difference between somebody breaking into your house when you're not there or when you're asleep and maybe photocopying your bank records and your medical records and using that to defraud you. There's a real difference between that and being punched in the face and having your legs broken," he said.

The attack follows earlier incidents this year that affected other U.K. businesses. A cyber-attack on retailer Marks & Spencer disrupted online ordering for months and cost the company about £300 million, highlighting the potential economic impact when retail and manufacturing IT systems are compromised.

JLR did not provide a timeline for when full production would resume, and declined to identify any affected individuals. The company said it would notify anyone directly if its investigation established that their data had been impacted. The NCSC and JLR continue to work together on the probe, while the company and government officials monitor operational and supply-chain risks caused by the outage.